Preventing neural network model exfiltration in machine learning hardware accelerators

Mihailo Isakov; Lake Bu; Hai Cheng; Michel A. Kinsy

doi:10.1109/AsianHOST.2018.8607161

Preventing neural network model exfiltration in machine learning hardware accelerators

Mihailo Isakov, Lake Bu, Hai Cheng, Michel A. Kinsy

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

10 Scopus citations

Abstract

Machine learning (ML) models are often trained using private datasets that are very expensive to collect, or highly sensitive, using large amounts of computing power. The models are commonly exposed either through online APIs, or used in hardware devices deployed in the field or given to the end users. This provides an incentive for adversaries to steal these ML models as a proxy for gathering datasets. While API-based model exfiltration has been studied before, the theft and protection of machine learning models on hardware devices have not been explored as of now. In this work, we examine this important aspect of the design and deployment of ML models. We illustrate how an attacker may acquire either the model or the model architecture through memory probing, side-channels, or crafted input attacks, and propose (1) power-efficient obfuscation as an alternative to encryption, and (2) timing side-channel countermeasures.

Original language	English (US)
Title of host publication	Proceedings of the 2018 Asian Hardware Oriented Security and Trust Symposium, AsianHOST 2018
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	62-67
Number of pages	6
ISBN (Electronic)	9781538674710
DOIs	https://doi.org/10.1109/AsianHOST.2018.8607161
State	Published - Jan 9 2019
Externally published	Yes
Event	2018 Asian Hardware Oriented Security and Trust Symposium, AsianHOST 2018 - Hong Kong, Hong Kong Duration: Dec 17 2018 → Dec 18 2018

Publication series

Name	Proceedings of the 2018 Asian Hardware Oriented Security and Trust Symposium, AsianHOST 2018

Conference

Conference	2018 Asian Hardware Oriented Security and Trust Symposium, AsianHOST 2018
Country/Territory	Hong Kong
City	Hong Kong
Period	12/17/18 → 12/18/18

Keywords

Neural network
hardware security
inference
memory probing
model exfiltration
model theft
side-channels

ASJC Scopus subject areas

Hardware and Architecture
Safety, Risk, Reliability and Quality
Computer Networks and Communications

Access to Document

10.1109/AsianHOST.2018.8607161

Cite this

Isakov, M., Bu, L., Cheng, H., & Kinsy, M. A. (2019). Preventing neural network model exfiltration in machine learning hardware accelerators. In Proceedings of the 2018 Asian Hardware Oriented Security and Trust Symposium, AsianHOST 2018 (pp. 62-67). Article 8607161 (Proceedings of the 2018 Asian Hardware Oriented Security and Trust Symposium, AsianHOST 2018). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/AsianHOST.2018.8607161

Preventing neural network model exfiltration in machine learning hardware accelerators. / Isakov, Mihailo; Bu, Lake; Cheng, Hai et al.
Proceedings of the 2018 Asian Hardware Oriented Security and Trust Symposium, AsianHOST 2018. Institute of Electrical and Electronics Engineers Inc., 2019. p. 62-67 8607161 (Proceedings of the 2018 Asian Hardware Oriented Security and Trust Symposium, AsianHOST 2018).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Isakov, M, Bu, L, Cheng, H & Kinsy, MA 2019, Preventing neural network model exfiltration in machine learning hardware accelerators. in Proceedings of the 2018 Asian Hardware Oriented Security and Trust Symposium, AsianHOST 2018., 8607161, Proceedings of the 2018 Asian Hardware Oriented Security and Trust Symposium, AsianHOST 2018, Institute of Electrical and Electronics Engineers Inc., pp. 62-67, 2018 Asian Hardware Oriented Security and Trust Symposium, AsianHOST 2018, Hong Kong, Hong Kong, 12/17/18. https://doi.org/10.1109/AsianHOST.2018.8607161

Isakov M, Bu L, Cheng H, Kinsy MA. Preventing neural network model exfiltration in machine learning hardware accelerators. In Proceedings of the 2018 Asian Hardware Oriented Security and Trust Symposium, AsianHOST 2018. Institute of Electrical and Electronics Engineers Inc. 2019. p. 62-67. 8607161. (Proceedings of the 2018 Asian Hardware Oriented Security and Trust Symposium, AsianHOST 2018). doi: 10.1109/AsianHOST.2018.8607161

Isakov, Mihailo ; Bu, Lake ; Cheng, Hai et al. / Preventing neural network model exfiltration in machine learning hardware accelerators. Proceedings of the 2018 Asian Hardware Oriented Security and Trust Symposium, AsianHOST 2018. Institute of Electrical and Electronics Engineers Inc., 2019. pp. 62-67 (Proceedings of the 2018 Asian Hardware Oriented Security and Trust Symposium, AsianHOST 2018).

@inproceedings{9c2d61f49a7848eda29b907d53e41a4f,

title = "Preventing neural network model exfiltration in machine learning hardware accelerators",

abstract = "Machine learning (ML) models are often trained using private datasets that are very expensive to collect, or highly sensitive, using large amounts of computing power. The models are commonly exposed either through online APIs, or used in hardware devices deployed in the field or given to the end users. This provides an incentive for adversaries to steal these ML models as a proxy for gathering datasets. While API-based model exfiltration has been studied before, the theft and protection of machine learning models on hardware devices have not been explored as of now. In this work, we examine this important aspect of the design and deployment of ML models. We illustrate how an attacker may acquire either the model or the model architecture through memory probing, side-channels, or crafted input attacks, and propose (1) power-efficient obfuscation as an alternative to encryption, and (2) timing side-channel countermeasures.",

keywords = "Neural network, hardware security, inference, memory probing, model exfiltration, model theft, side-channels",

author = "Mihailo Isakov and Lake Bu and Hai Cheng and Kinsy, {Michel A.}",

note = "Publisher Copyright: {\textcopyright} 2018 IEEE.; 2018 Asian Hardware Oriented Security and Trust Symposium, AsianHOST 2018 ; Conference date: 17-12-2018 Through 18-12-2018",

year = "2019",

month = jan,

day = "9",

doi = "10.1109/AsianHOST.2018.8607161",

language = "English (US)",

series = "Proceedings of the 2018 Asian Hardware Oriented Security and Trust Symposium, AsianHOST 2018",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "62--67",

booktitle = "Proceedings of the 2018 Asian Hardware Oriented Security and Trust Symposium, AsianHOST 2018",

}

TY - GEN

T1 - Preventing neural network model exfiltration in machine learning hardware accelerators

AU - Isakov, Mihailo

AU - Bu, Lake

AU - Cheng, Hai

AU - Kinsy, Michel A.

PY - 2019/1/9

Y1 - 2019/1/9

N2 - Machine learning (ML) models are often trained using private datasets that are very expensive to collect, or highly sensitive, using large amounts of computing power. The models are commonly exposed either through online APIs, or used in hardware devices deployed in the field or given to the end users. This provides an incentive for adversaries to steal these ML models as a proxy for gathering datasets. While API-based model exfiltration has been studied before, the theft and protection of machine learning models on hardware devices have not been explored as of now. In this work, we examine this important aspect of the design and deployment of ML models. We illustrate how an attacker may acquire either the model or the model architecture through memory probing, side-channels, or crafted input attacks, and propose (1) power-efficient obfuscation as an alternative to encryption, and (2) timing side-channel countermeasures.

AB - Machine learning (ML) models are often trained using private datasets that are very expensive to collect, or highly sensitive, using large amounts of computing power. The models are commonly exposed either through online APIs, or used in hardware devices deployed in the field or given to the end users. This provides an incentive for adversaries to steal these ML models as a proxy for gathering datasets. While API-based model exfiltration has been studied before, the theft and protection of machine learning models on hardware devices have not been explored as of now. In this work, we examine this important aspect of the design and deployment of ML models. We illustrate how an attacker may acquire either the model or the model architecture through memory probing, side-channels, or crafted input attacks, and propose (1) power-efficient obfuscation as an alternative to encryption, and (2) timing side-channel countermeasures.

KW - Neural network

KW - hardware security

KW - inference

KW - memory probing

KW - model exfiltration

KW - model theft

KW - side-channels

UR - http://www.scopus.com/inward/record.url?scp=85061711173&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85061711173&partnerID=8YFLogxK

U2 - 10.1109/AsianHOST.2018.8607161

DO - 10.1109/AsianHOST.2018.8607161

M3 - Conference contribution

AN - SCOPUS:85061711173

T3 - Proceedings of the 2018 Asian Hardware Oriented Security and Trust Symposium, AsianHOST 2018

SP - 62

EP - 67

BT - Proceedings of the 2018 Asian Hardware Oriented Security and Trust Symposium, AsianHOST 2018

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 2018 Asian Hardware Oriented Security and Trust Symposium, AsianHOST 2018

Y2 - 17 December 2018 through 18 December 2018

ER -

Preventing neural network model exfiltration in machine learning hardware accelerators

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this